set server_version to TLS 1.3
Change-Id: Id4d3d5d21ae996f447d826e98c0cf60880e7c0ce
Reviewed-on: https://code.wireshark.org/review/18171
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Add also special case on hello key_share extension
Ping-Bug: 12779
Change-Id: Ib8e2dd060f322c2404a8afa9b8cb70de7c2c65b7
Reviewed-on: https://code.wireshark.org/review/18093
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I947dc83e3b1b853873b5158f234e44ef933c3bcc
Reviewed-on: https://code.wireshark.org/review/17982
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
If ssl_association_add is passed a NULL app_handle argument, it will
trigger DISSECTOR_ASSERT which fails due to the bad wmem scope
(wmem_packet_scope). Arguably DISSECTOR_ASSERT should not be used there,
but its alternative is g_warning/g_assert are not much different...
Fix the crash (assertion failure) by checking that the UAT-supplied
protocol is really valid. Normally the post_update_cb should not be
invoked if any of the fields are invalid, but that requires larger
changes in the Qt UAT dialog code.
Change-Id: Ie245213b650b1de9640db8dadd08f3ed2bff335f
Reviewed-on: https://code.wireshark.org/review/17906
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The "name_length >= alpn_proto->proto_name_len" condition always failed
to match for short names (like "h2" where the reported length is 2, but
the proto_name_len would be 3).
This fixes recognition of HTTP/2 traffic, without this patch it would be
interpreted as http-over-tls as reported on
https://ask.wireshark.org/questions/55720/how-to-install-http2-dissector-plugin
Change-Id: Idc3eae0b6d593c8f3c435230ef76da90a4b1e7fc
Reviewed-on: https://code.wireshark.org/review/17907
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
A dissector bug was reported:
epan/dissectors/packet-ssl-utils.c:1615: failed assertion "data"
and fair enough, the MAC Key is indeed NULL because of our special
handling for NULL ciphers. Just ignore the MAC key then.
Change-Id: I12d2be5e84520badb44a99fc965c48c3afa89346
Fixes: v2.3.0rc0-697-gb1d36fe ("ssl-utils: remove block and key sizes from cipher suites table")
Reviewed-on: https://code.wireshark.org/review/17903
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
and also move on the top and not too far from ssl_version_short value_string
Change-Id: I9012d0d0839fd29da500a7f37a83ecc982f0fb5b
Reviewed-on: https://code.wireshark.org/review/17887
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
also remove padding function (don't needed)
Bug: 12922
Change-Id: Ie049ee21193ec82b8dc873a7dff78e9d058c7935
Reviewed-on: https://code.wireshark.org/review/17825
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
with TLS 1.3, there is a new 'Hello' type (Hello Retry Request)
Change-Id: If7a11b70a5b0a69044126c50e1d6ab4e1d443f77
Reviewed-on: https://code.wireshark.org/review/17573
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
There is no session_id and compression method with TLS 1.3 Server Hello
Also no time on first bytes of random field
Bug: 12779
Change-Id: Id79221c2ad50695cf6d46cd5c9255deab99e2d2c
Reviewed-on: https://code.wireshark.org/review/17225
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
gcry_cipher_get_algo_keylen() returns a size_t, which is bigger than a
guint on most if not all 64-bit platforms; however, if the key is bigger
than 2^32 bytes, we have bigger problems, so just cast it down.
Change-Id: Ia7c97d2742686daf2e42f634c6e349cb580fa9df
Reviewed-on: https://code.wireshark.org/review/17731
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Ensure that Libgcrypt and zlib memory are freed when closing a pcap.
Change-Id: I420f9950911d95d59ff046fee57900ca6f7e9621
Reviewed-on: https://code.wireshark.org/review/17718
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
There was an implicit dependency between the block size in the cipher
suites table and the size expected by Libgcrypt. Just remove the block
size from the table and rely on the value from Libgcrypt to avoid the
risk of mismatching values (which could lead to a buffer overflow).
While at it, remove the size of the key ("bits") and the size of key
material ("eff_bits") too. Move the key material sizes for export
ciphers away from the table and use byte quantities instead of bits.
Additionally, this fixes an issue where 8 bytes of uninitialized stack
memory is written to the SSL debug log for stream ciphers like RC4.
The size of the Write Key is also corrected for export ciphers, now it
prints the actual (restricted) number of bytes that are used.
Change-Id: I71d3c83ece0f02b2e11e45455dc08c41740836be
Reviewed-on: https://code.wireshark.org/review/17714
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
ssl_cipher_init should only set the IV for CBC cipher suites. NULL
cipher suites will not invoke gcry_cipher_setiv and AEAD ciphers will
set the nonce in a different place anyway.
Fixes a buffer overrun (read) by 12 bytes for any AES-CCM and AES-GCM
cipher suite because the "block size" is set to 4 bytes while the
reported block size for AES is 16 bytes (128 bit). (The four bytes are
the "salt" part of the nonce that is extracted from the "client/server
write IV" part of the key block.)
Observed with the DTLS packet capture from
https://ask.wireshark.org/questions/55487/decrypt-application-data-pending-dtls-abbreviated-handshake-using-psk
Change-Id: I4cc7216f2d77cbd1eac9a40dca3fdfde7e7b3680
Reviewed-on: https://code.wireshark.org/review/17713
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Use new heuristics based on the EAP Code field to determine whether a
field originates from the client or server. This is more reliable than
using "pinfo->match_uint" for two reasons: (1) the heuristics dissector
does not set "match_uint" (resulting in an arbitrary match on the
previous value) and (2) with EAP over EAPOL, there is no matching port
number (resulting in two conversations with different addresses and port
number zero).
To fix TLS decryption, make sure to create a single conversation for
both direction and allow the port type to be PT_NONE (to avoid reporting
all packets as originating from the server).
Bug: 12879
Change-Id: I7b4267a27ffcf68bf9d3f6a90d6e6e2093733f51
Reviewed-on: https://code.wireshark.org/review/17703
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Append the length to the extension and display the contents of
unknown extensions as bytes.
Change-Id: Iba1204a1d5e187f28cb41c4369b10eeb86e6b43a
Reviewed-on: https://code.wireshark.org/review/17265
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
The protocol version from a SSL/TLS record contains the minimum
supported SSL/TLS version and is the best guess for Client Hello
handshake messages if no authorative version is available.
By considering the version from the conversation for the initial
col_set_str call, we can also remove some other calls down the road.
Change-Id: I4be25f5c9057ffd0abcea7280d826867c135fed7
Reviewed-on: https://code.wireshark.org/review/17490
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
A handshake starts a new session, be sure to clear the previous state to
avoid creating a decoder with wrong secrets.
Renegotiations are also kind of transparant to the application layer, so
be sure to re-use an existing SslFlow. This fixes the Follow SSL stream
functionality which would previously ignore everything except for the
first session.
The capture file contains a crafted HTTP request/response over TLS 1.2,
interleaved with renegotiations. The HTTP response contains the Python
script used to generate the traffic. Surprise!
Change-Id: I0110ce76893d4a79330845e53e47e10f1c79e47e
Reviewed-on: https://code.wireshark.org/review/17480
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
In a two-pass dissection with renegotiated sessions, the
is_session_resumed flag is not updated according to the current protocol
flow. Fix this by performing detection of abbreviated handshakes in
all cases, do not limit it to the decryption stage (where ssl != NULL).
Reset the resumption assumption after the first ChangeCipherSpec
(normally from the server side, but explicitly add this in case client
packets somehow arrive earlier in the capture). This should not have a
functional effect on normal TLS captures with Session Tickets.
Bug: 12793
Change-Id: I1eb2a8262b4e359b8c1d3d0a1e004a9e856bec8c
Reviewed-on: https://code.wireshark.org/review/17483
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
This name is displayed in the SSL prototcol tree (Application Data
Protocol: http-over-tls), rename to avoid possible user confusion.
Modify the SSL dissector such that both "http" and "http-over-tls"
invoke the same dissector function.
Change-Id: I2d52890a8ec8fa88b6390b133a11df607a5ec3dc
Reviewed-on: https://code.wireshark.org/review/17481
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
If the heuristics fail to detect a resumed session, then it must mark
the session as a normal session. This will also prevent from
applying secrets that do not apply to this renegotiated session.
Bug: 12793
Change-Id: I90f794a7bbaf7f1839e39656ac318183ecf48887
Reviewed-on: https://code.wireshark.org/review/17376
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Implementing proper return value check, as done for other gnutls function
calls, catches (unlikely) errors and allows C++ compatible build.
Change-Id: Idf5bd3fe6e68d006a469fe72663dea1c7e2d17f7
Reviewed-on: https://code.wireshark.org/review/16865
Reviewed-by: Guy Harris <guy@alum.mit.edu>
When the cipher suite for the current decryption session is changed via
a Server Hello, it should not change the cipher suite field of the
decoder. Otherwise there is a mismatch between the cipher suite and the
capabilities of the decoder.
Fix this issue by making the decoder hold a pointer to the (constant)
SslCipherSuite structure rather than making a copy (and have the decoder
point to that data).
I also considered resetting the decoder once the cipher suite changes in
the Server Hello, but that breaks renegotiation.
Bug: 12665
Change-Id: Ieff38a535cd111d95933ec383378643b6fbab7bf
Reviewed-on: https://code.wireshark.org/review/16674
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
I guess people don't change the SSL debug file name that often--this bug has
been here since 2006...
Change-Id: I3db053dd7e0cb9a9e4ae49a310e956b3c77c99f6
Reviewed-on: https://code.wireshark.org/review/16236
Petri-Dish: Jeff Morriss <jeff.morriss.ws@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Done for performance improvements.
This could probably be done in checkAPIs.pl, but this was just
a quick manual check with grepping.
Change-Id: I91ff102cb528bb00fa2f65489de53890e7e46f2d
Reviewed-on: https://code.wireshark.org/review/15751
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
If the IMAP TCP stream doesn't include the STARTTLS command/response
the IMAP dissector will try to dissect TLS ciphertext as IMAP protocol
plaintext.
Add heuristic check for SSLv3/TLS and if the heuristic matches register
dissect_ssl() as the dissector for that IMAP session.
Change-Id: If84eca22315193a306e93e66c608de6634e6cd85
Reviewed-on: https://code.wireshark.org/review/13570
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: João Valverde <j@v6e.pt>
This allows keeping the code-sharing with the static linking.
This "fixes" a hypothetical ABI mismatch with wsutil and avoids pulling more
external dependencies to wsutil than strictly necessary.
A nice side-effect is that libwsutil no longer depends on version.h.
Follow up to f95976eefc.
Change-Id: I8f0d6a557ab3f7ce6f0e2c269124c89f29d6ad23
Reviewed-on: https://code.wireshark.org/review/15002
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: João Valverde <j@v6e.pt>
Replace some function calls with their non-deprecated equivalents so
that we can remove _CRT_NONSTDC_NO_DEPRECATE from CMakeLists.txt and
config.nmake.
Leave _CRT_SECURE_NO_DEPRECATE in place. Removing it failed with 145
warnings and 72 errors.
Note that we could probably improve startup performance by using wmem
in diam_dict.*.
Change-Id: I6e130003de838aebedbdd1aa78c50de8a339ddcb
Reviewed-on: https://code.wireshark.org/review/14883
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Try to improve address API and also fix some constness warnings
by not overloading the 'data' pointer to store malloc'ed buffers
(use private pointer for that instead).
Second try, now passing test suite.
Change-Id: Idc101cd866b6d4f13500c9d59da5c7a38847fb7f
Reviewed-on: https://code.wireshark.org/review/13946
Petri-Dish: João Valverde <j@v6e.pt>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: João Valverde <j@v6e.pt>
Do not use the client-supplied session ticket for decryption when the
session is not resumed as the cached key (associated with that ticket)
is invalid for this new session. SSL Session IDs are unaffected by this
issue as only the server-issued Session ID is considered.
This fixes decryption of a SSL capture which uses the keylog file for
decryption, but where the session tickets are invalid because the server
was restarted.
Additionally, the session and session tickets stores are split to avoid
exporting session tickets via File -> Export SSL Session keys. Session
tickets should only be used internally, the CLIENT_RANDOM identifier is
shorter and is the preferred method to link secrets.
Change-Id: If96d7a4e89389825478e67e9a65401ce0607aa66
Reviewed-on: https://code.wireshark.org/review/13994
Reviewed-by: Michael Mann <mmann78@netscape.net>
This reverts commit 13ec77a9fc.
This commit introduces a segmentation fault for Lua code (uncovered by the test suite).
Change-Id: Ibc273d1915cda9632697b9f138f0ae104d3fb65e
Reviewed-on: https://code.wireshark.org/review/13813
Reviewed-by: João Valverde <j@v6e.pt>